“Cloud first” is the big trend in software hosting. First introduced as a government policy in 2010, it’s become the aim of a growing number of businesses. Cloud hosting provides economies of scale, around-the-clock professional management, and easy adaptation to growth. It can significantly improve security compared with on-premises hosting.
What about DDoS protection? The results are mixed. A large cloud provider has the resources to deal with attacks, so attempts that would disable a single-server website may go practically unnoticed. At the same time, it makes a website part of a bigger target.
The DDoS problem
A distributed denial of service attack uses many devices on the Internet to overwhelm a site with requests. The target gets so much input that it slows down severely, becomes unreachable, or crashes. Attacks can be direct or indirect. The best-known attack of 2016 targeted Dyn, a DNS service, on October 21. It severely affected major websites, including CCN, Twitter, Reddit, and Netflix, even though they weren’t directly touched. Without the ability to get domain mapping information, browsers couldn’t reach the sites.
Attacks come from “botnets,” large groups of computers infected with malware. The botnet may be scattered all over the world, but it’s under the direction of a “command and control” system. Software to direct DDoS attacks from botnets is easily available to criminals. The attack on Dyn used multiple botnets, with about 100,000 devices involved in the attack.
The problem will only get worse. Devices on the “Internet of Things” often have poor security and are easy to infect. High-speed connections let them do serious damage. The software keeps developing new ways to circumvent defenses.
Sophisticated DDoS software includes application-layer attacks, disabling systems not just with the sheer volume of data but with packets designed to consume the victim’s resources. For example, an attack might make repeated login attempts, not so much to break in as to force the server to keep checking the user database. Application layer attacks are also known as “Layer 7” attacks, because the application layer is layer 7 in the OSI model.
Cloud benefits and risks
In many ways, cloud services provide a better defense than on-premises or co-located servers. A cloud provider can allocate additional servers to cover spikes in demand. The difference between a demand spike and a DDoS attack is basically one of motivation, and the spare capacity will cover attacks and spikes alike, if they aren’t too large.
With a private server, it can take a long time just to notice that the attack is frustrating customers. Then it may be necessary to get the administrator out of bed. Reputable cloud services have constant monitoring, and technicians are always available, so a cloud data center can quickly detect and deal with a DDoS attack. Blocking the source or the type of traffic may fix the problem without difficulty.
Against these advantages, there are some risks that are peculiar to a cloud service. A business is sharing its service with many other customers, and if any one of them becomes a target, everyone who uses the same cloud resources will be pulled down. Someone could target the cloud service itself, for the sake of harming many customers with a single attack. The motives of people who carry out these attacks are hard to fathom; it could be blackmail, business advantage, a political cause, or glory among their peers. It’s equally hard to tell whom they’ll go after.
Websites often use multiple SaaS cloud services. A site might use one for managing sales, another for user interaction, a third for the help desk, and so on. The loss of any one of them might break the site. The more infrastructure a site uses, the larger its attack surface is.
SaaS uses a published API, and attackers can craft their methods to take advantage of known weaknesses in it. On the other hand, cloud providers can deploy security software to guard against attacks that are specific to their software. It’s an arms race.
Defense methods
Guarding against DDoS is a difficult thing. A sufficiently large attack can overwhelm any defense. Most attacks are far smaller than the headline-grabbers, though, and thoughtful planning can keep them from being more than annoyances.
Manual defenses, such as blocking IP addresses, aren’t very useful except against small-scale nuisances. Cloud services defend themselves using security software that recognizes attack patterns and adapts to them automatically. This includes protection against application-layer attacks directed at their APIs.
Distributed hosting is an effective defense. A content delivery network is harder to attack than a single point of entry.
Mitigation services are available separately from hosting and SaaS. They filter requests and block hostile traffic before it can reach the application servers. These services keep up on the latest attack methods and have the capacity to stop most large-scale attacks.
A site should be designed to degrade gracefully. If it can’t provide the normal level of service because of an attack, it should at least stay visible, with a message saying technical issues are temporarily causing problems. The site should give comprehensible error messages and not crash or leave users in an inconsistent state.
Dividing a site’s infrastructure into separately hosted parts can help to keep this level of visibility. It’s easier to keep the passive information (home page, “about us,” etc.) available if it’s separate from e-commerce and other interactive functions.
When choosing a cloud service, its ability to withstand DDoS attacks is an important factor. One with good monitoring, strong firewall and software protection, a highly skilled support staff, and ample reserve capacity will withstand most of the attacks that come its way.
Any site, large or small, can be a target. Adopting a cloud strategy reduces many risks, provided it’s set up properly. Planning ahead will make it easier to deal with any DDoS threats. Contact us to learn how we can help your business to set up a robust cloud infrastructure.